WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2757 2019-10-31 17:59:21Z rexy $
+#  $Id: alcasar.sh 2758 2019-11-03 23:17:20Z rexy $
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
 	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
 	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
 	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 	chown -R apache:apache /var/log/lighttpd
-	/usr/bin/systemctl start lighttpd
+#	/usr/bin/systemctl start lighttpd
-	/usr/bin/systemctl start php-fpm
+#	/usr/bin/systemctl start php-fpm
 # Creation of the first account (in 'admin' profile)
 	if [ "$mode" = "install" ]
 	then
 		header_install
 	secret = $secretradius
 	shortname = chilli
 	nas_type = other
+}
 EOF
+# Set Virtual server
-# Set Virtual server (remvove all except "alcasar virtual site")
+    # Remvoveing all except "alcasar virtual site")
-	rm -f /etc/raddb/sites-enabled/*
+	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
 	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
 	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
 	chown radius:apache /etc/raddb/sites-available/alcasar*
 	chmod 660 /etc/raddb/sites-available/alcasar*
+	rm -f /etc/raddb/sites-enabled/*
 	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
-	# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
 # Set modules
 	# Add custom LDAP "available module"
+	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
 	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
 	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
 	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
 	rm -rf  /etc/raddb/mods-enabled/*
 	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
 	do
 		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
 	done
-	# INFO : To connect from outside (EAP), add the EAP module (and right accesses to the keys (/etc/pki/tls/private/radius.pem)
-# Configure SQL mod
+# Configure SQL module
 	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
 	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
 	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
+	# no TLS encryption on 127.0.0.1
+	$SED "s?^[\t] ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
+	$SED "s?^[\t] ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
+	$SED "s?^[\t] ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
+	$SED "s?^[\t] ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
+	$SED "s?^[\t] ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
+	$SED "s?^[\t] ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
 # queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
 	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
 	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
 	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
 # sqlcounter modifications
 ################################################################
 e2guardian()
+{
 	mkdir -p /var/e2guardian /var/log/e2guardian
 	chown -R e2guardian /var/e2guardian /var/log/e2guardian
+# Adapt systemd unit
+[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
 	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
 	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
 	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
-# By default the filter is off
+# Adapt the main conf file
-	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
 # French deny HTML page
 	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
 # Listen only on LAN side
 	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
-# DG send its flow to HAVP
+# The port that E2guardian listens to
-	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
+	$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf
-# replace the default deny HTML page
+# DG send its flow to HAVP (127.0.0.1:8090)
-	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
+	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
-	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
+	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
 # Don't log
 	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
-# # Change the default report page
-	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
 # Disable HTML content control
 	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
 	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
-	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
+	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
 # Disable URL control with regex
 	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
-	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
+	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
-# Configure E2guardian for large site
-# Minimum number of processus to handle connections
-	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
-# Maximum number of processus to handle connections
-	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
-# Run at least 8 daemons
-	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
-# minimum number of processes to spawn
-	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
-# maximum age of a child process before it croaks it
+# Adapt the first group file (only one for instance)
-	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
-# Disable download files control
 	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
+# Reporting (deny page) in HTML
-	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
+	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
+# Replace the default deny HTML page (only fr & uk)
+	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
+	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default
+	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
+	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
+# Dont filtering files by extension or mime-type (empty list)
 	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
 	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
 	touch $DIR_DG/lists/bannedextensionlist
 	touch $DIR_DG/lists/bannedmimetypelist
-# 'Safesearch' regex actualisation
-	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
-# empty LAN IP list that won't be WEB filtered
+# Empty LAN IP list that won't be WEB filtered
 	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
 	touch $DIR_DG/lists/exceptioniplist
-# Keep a copy of URL & domain filter configuration files
+# Creation of ALCASAR banned site list
 	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
+	cat <<EOF > $DIR_DG/lists/bannedsitelist
+# E2guardian domain filter config for ALCASAR
+# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
+#**
+# block all SSL and CONNECT tunnels
+**s
+# block all SSL and CONNECT tunnels specified only as an IP
+*ips
+# block all sites specified only by an IP
+*ip
+EOF
+# Creation of ALCASAR banned URL list (empty)
 	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
+	cat <<EOF > $DIR_DG/lists/bannedurllist
+# E2guardian filter config for ALCASAR
+EOF
+# Creation of file for the rehabilited domains and urls
+	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
+	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
+	touch $DIR_DG/lists/exceptionsitelist
+	touch $DIR_DG/lists/exceptionurllist
+# Add Bing to the safesearch url regext list (parental control)
+	[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
+	cat <<EOF >> $DIR_DG/lists/urlregexplist
+# Bing - add 'adlt=strict'
+#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
+EOF
+# 'Safesearch' regex actualisation
+	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
+# change the google safesearch ("safe=strict" instead of "safe=vss")
+	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
 } # End of e2guardian()
 ##################################################################
 ##                     Function "antivirus"                     ##
 ## - Set the parameters of havp, libclamav and freshclam        ##
+{
 	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
 	rm -rf $DIR_DG/lists/blacklists
 	mkdir -p /tmp/blacklists
 	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
-# creation of file for the rehabilited domains and urls
-	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
-	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
-	touch $DIR_DG/lists/exceptionsitelist
-	touch $DIR_DG/lists/exceptionurllist
-# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
-	cat <<EOF > $DIR_DG/lists/bannedurllist
-# E2guardian filter config for ALCASAR
-EOF
-	cat <<EOF > $DIR_DG/lists/bannedsitelist
-# E2guardian domain filter config for ALCASAR
-# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
-#**
-# block all SSL and CONNECT tunnels
-**s
-# block all SSL and CONNECT tunnels specified only as an IP
-*ips
-# block all sites specified only by an IP
-*ip
-EOF
-# Add Bing to the safesearch url regext list (parental control)
-	cat <<EOF >> $DIR_DG/lists/urlregexplist
-# Bing - add 'adlt=strict'
-#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
-EOF
-# change the google safesearch ("safe=strict" instead of "safe=vss")
-	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
 # creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
 	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
 	touch $DIR_DG/lists/blacklists/ossi-bl/domains
 	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
 	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
 			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
 			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
 			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
 			mode="update"
 		fi
-		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				echo "*** 'debug' : end of install '$func' ***"

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2757 → 2758